"Method of executing a cryptographic protocol between two electronic entities"

The invention relates to a method of executing a cryptographic protocol
between two electronic entities, one of them being, for example but not
exclusively, a smart card. The invention relates more particularly to an improvement
of the said protocol to prevent "attacks", that is to say fraud attempts based on
the analysis of the equipment while it is operating, in particular by means of
measurements of the current consumption during the execution of such a
cryptographic protocol initiated by a defrauder.

It is known that certain encrypted electronic entities, in particular 
microcircuit cards, are vulnerable to attacks based on the analysis of certain 
parameters during an operational phase. It is said that information can "leak" 
from a calculation made in the card, typically the execution of a cryptographic 
protocol initiated by the defrauder in possession of the card. The parameters 
analysed during the execution of such a protocol can be, typically, differences in 
computing time or electromagnetic radiations during the execution of the 
computation but, above all, the current consumption by the electronic entity for 
which an attempt is being made to break the code. 

Thus, the conventional attack consists in causing the electronic entity 
which has fallen into the hands of the defrauder to execute a certain number of 
cryptographic protocols based on random messages, and therefore destined for 
failure, but having the consequence of having executed each time by the entity 
(the microcircuit card) a chain of operations known by the abbreviation DES 
(Data Encryption Standard) whilst analysing the current consumption during 
each execution of the said DES. The purpose of this attack is to discover the 
secret code of the said entity. As regards the DES, this is a well known 
algorithm, very widely used at present in the field of bank cards or that of access 
control cards. 

By way of example, in the framework of a normal authentication between
an entity A, for example a server, and an entity B, for example a microcircuit card
in which the DES is programmed, the exchanges of information between the two
entities are as follows:

- the server A requests the card B to send a message, A and B being
assumed to be in possession of the same key.

- B sends an arbitrary message and retains it in memory.

- A applies the DES to the message using its key and returns the result to
the card B.

- At the same time, the card B applies the DES to the message which it
has sent to the server A by making use of its own key. It obtains a result which is
compared with that generated by the server A. If the two results are identical, the
authentication is validated.

Furthermore, in the case of a fraud, that is to say in the case where the
defrauder has the card and is seeking to determine the key, the defrauder can
connect the card to a reader with which he will be able to transmit messages to it
and connect it to means of recording the current consumption during the
execution of the operations which it carries out.

On the basis of these simple means, the defrauder forms a system F 
which he connects to the card in place of the server A. 

The process is then as follows. F requests a message from the card
exactly as in the case of initialising an authentication. B sends this message. F
sends another message to B presumed to be the result of treatment by the DES
of the message sent by B. This message is of course incorrect. However, B
makes use of its own key to execute a DES in order to obtain a result for the
purpose of comparing it with the (incorrect) message sent by F. The result of this
comparison is inevitably negative but the defrauder has succeeded in initiating
the execution of a DES by B. During the execution of the said DES, the current
consumption is detected and stored.

If F is capable of having a certain number of DES carried out by the card
B, under the same conditions, and of storing the current consumption each time,
it is possible to implement an attack whose principle is known. This attack, called
"DPA" (Differential Power Analysis) makes it possible to reconstitute the secret
key of the entity B.
The document WO 99/63696 aims at countering attacks of this type by
reducing the exploitable information capable of "leaking" during the execution of
algorithms. In order to do this it suggests, in particular, introducing random elements
("hazards") in the cryptographic protocols in order to increase the number of cycles
necessary in order to discover the secret key.

The invention proposes a precise parry to an attack of the "DPA" type by 
the random complementing of certain operations of the DES. 

The invention applies more particularly to entities using the DES but it is
also applicable, as will be seen below, to other entities (microcircuit cards) using
algorithms other than the DES provided that the latter consist of a succession of
operations having certain properties which shall be explained later.

More precisely, the invention relates to a method of generating a
cryptographic protocol between a first electronic entity and a second electronic
entity subject to attack, according to which an arbitrary message is generated, on the
basis of which a chain of operations is carried out by the said second entity resulting
in the generation of a resultant or response message, the said response being
compared with the result of another similar processing applied to the said
message and carried out by the said first entity, characterised in that, at least in
certain stages of the said chain of operations, the said second entity carries out
either an operation of a chosen type or the same operation complemented, the
choice depending on a random decision, and in that the said response is
constituted by the result of the last operation of the said chain, possibly
complemented.

The complementing can be carried out either byte by byte, by doing the
exclusive OR of the current byte randomly with one of the two hexadecimal
values 00 and FF, or bit by bit, by processing the eight consecutive bits of the
current byte together and doing the exclusive OR with a number chosen
randomly, for each processed byte, from among the 256 hexadecimal values from
00 to FF.

Among the operations capable of being complemented may be quoted the
operation called the exclusive OR or an operation of permutation of the bits of
the message or of an intermediate result obtained whilst carrying out the said
chain of operations, that is to say, according to the described example, after
execution of a given operation of the DES. It is also possible to mention the
operation of indexed access to a table or any operation which is stable in
comparison with the application of the exclusive OR function, in particular the
operation consisting in transferring the message or a previously mentioned
intermediate result, from one location to another, of a storage space.

According to one possible embodiment, there are defined in the said
second entity two chains of operations for the processing of the said message,
one of the chains consisting of a series of data operations and the other chain
consisting of a series of the same operations complemented and a final
complementing, and it is decided randomly to execute one of the two chains of
operations on each reception of a message coming from the said first entity.

According to another embodiment, for the time being considered
preferable, the method consists in using the said message or an intermediate
result resulting from the execution of a preceding operation of the said chain, in
applying a new operation of the said chain to it, or this same operation
complemented, depending on the state of a random parameter associated with
this new operation, in updating a complementing counter and in taking into
account the state of this counter at the end of the execution of the said chain of
operations in order to decide on the final configuration of the said response.

According to yet another advantageous variant, the method consists in 
using the said message, or an intermediate result of the execution of a preceding 
operation of the said chain, in applying to it a new operation of the said chain or 
this same operation complemented, depending on the state of a random 
parameter associated with this new operation and in transmitting, from operation 
to operation, information forming part of the said intermediate results, necessary 
for the final configuration of the said response. 

Furthermore, it has been found that the difference between the number of
times when the operations are carried out in a normal fashion and the number of
times when they are carried out with complementing, during the execution of the
DES or similar, must not be too great in order that the method may retain all of
its efficiency with respect to the above-described attack. Consequently, the
method is also noteworthy in that, whilst the said series of operations is being
carried out, there is computed the difference between the number of times when
the operations have been carried out in a normal fashion and the number of
times when they have been carried out with complementing, and in that the
random element is removed from the decision to carry out operations in a normal or
complemented manner, for a certain number of subsequent operations, when the
said difference exceeds a predetermined value, with a view to reducing the said
difference.

The invention will be better understood and other of its advantages will
appear more clearly in the light of the following description of a method of
executing a cryptographic protocol according to its principle, given solely by way
of example and referring to the appended drawings in which:

- figure 1 is a diagram illustrating a part of the execution of a cryptographic
protocol, more precisely the execution of a DES programmed according to the
invention; and

- figure 2 is a diagram illustrating another way of executing the DES
according to the invention.

Considering figure 1 more particularly, it is noted that the method of
generating a cryptographic protocol between two electronic entities A and B,
which is partially illustrated in the diagram, can be executed in one of these
entities, typically in a smart card B when the latter is connected, for example, to a
server A. The DES according to the invention is programmed in the smart card
B. The latter also contains in its memory a secret key K which is capable of
intervening in certain of the operations O_1, O_2, O_3 ... O_n which are chained during
the execution of the DES. During the generation of the cryptographic protocol,
the first entity (typically the said server A) requests the second entity (the card B)
to send a message M. The message generated by B is an arbitrary message: it is
retained in memory in the card B. Whilst A processes this message with its own
DES, the card B applies the DES according to the invention to the message M
which it has sent to the server A, making use of its own key K. In the example,
the DES applied by the card B comprises two chains of operations. A first chain
Ch_1 of operations O_1, O_2, O_3 ... O_n corresponds to a conventional DES.
The second chain Ch_2 of operations Ō_1, Ō_2, Ō_3 ... Ō_n consists of the
same succession of the same operations, but complemented. It is completed
by a global complementing C of the result generated at the end of the last
complemented operation Ō_n.

Furthermore, it is decided in a random manner to execute one or other of
the two chains of operations each time such an arbitrary message is generated. This
random choice is symbolised by a selector S_a, interposed between the message
M and each of the two chains of operations. The positioning of the selector is
random, which means that each time a message M must be processed, one or
other of the two chains of operations Ch_1, Ch_2 is chosen in a random manner.

If the non-complemented chain has been chosen, the result given by the
last operation O_n constitutes the response R which will be compared with the one
which will have been generated by the server A. In the case where the chain of
complemented operations has been selected, the result of the last operation
Ō_n is complemented and constitutes the response R.

In the embodiment shown in figure 2, a DES programmed according to
the principle of the invention appears again, that is to say comprising the usual
operations of a DES: O_1, O_2, O_3 ... O_n or the similar complemented operations
Ō_1, Ō_2, Ō_3 ... Ō_n. The message itself can be complemented, that is to say used
as it is at the start of the execution of the DES or in complemented form
M̄. The key K is used for the execution of at least certain operations. However,
the selection of the operations (that is to say the choice between the normal
operation and its complemented version) is decided randomly from one
operation to the next. In other words, the message M or an intermediate result
resulting from the execution of a preceding operation O_i (or Ō_i) is used, and a new
operation of the chain or its complemented version (that is to say O_{i+1} or Ō_{i+1})
is applied to it depending on the state of a random parameter associated with the
new operation. This random parameter is generated by the selector S'_a. Thus, by
following the path of figure 2, it can be seen that it is the message M, as it is,
which is used and not its complement M̄ (command 1 generated by S'_a), then
the first operation which is selected (command 2), then the complemented operation Ō_2
(command 3), then the operation O_3 (command 4) and finally the sequence
ends with the selection of the operation O_n (command n). The result of the last
operation, O_n on this occasion, can constitute the result R or the complemented
result R̄ which will be compared with another result generated by the entity A by
using its own DES. The choice between R and R̄ is given by the state of a
complementing counter C_c fed throughout the generation of the process by the
selector S'_a. In other words, the state of the complementing counter C_c makes it
possible to know whether it is necessary to validate the result R or its complement R̄ for
the final configuration of the response to be compared with the computations of
the entity A.

It should be noted that a variant makes it possible to eliminate the counter
C_c. It suffices to transmit, from operation to operation, information forming part of
the intermediate results and representing the number of times when a DES
operation has been executed in complemented form. In this case, the
intermediate results transmitted from one operation to another themselves
comprise the information equivalent to that finally given by the counter C_c in the
embodiment shown in Figure 2. In this case, the last intermediate result given
by the execution of the operation O_n or Ō_n is or is not complemented depending
on a part of its own information which it contains. The final configuration of the
response R is derived from it.

Returning to Figure 1 or 2, it is noted that the selector S_a or S'_a is used for
computing the difference between the number of times that the operations have
been carried out in normal manner and the number of times they have been
carried out with complementing. This difference d is stored and updated from
operation to operation.

When the difference exceeds a predetermined value, which can reduce
the efficiency of the method against the DPA attack, an order is generated which
momentarily inhibits the selector S'_a. In other words, the random element is removed
from the decision to carry out operations in the normal or complemented way, in
order to execute a certain number of subsequent operations in the mode (normal
or complemented) least used up to that point. The random choice is put back into use
when the value of the difference d has been sufficiently reduced.

It is found that all of the operations of a conventional DES allow the
implementation of the method according to one or other of the variants which
have just been described.

By way of example, there will be mentioned below certain operations 
capable of being complemented and consequently compatible with the 
implementation of the method which has just been described. 

An operation capable of being complemented is the operation known as
the exclusive OR.

Another operation capable of being complemented is a known operation
of permutation of the bits of the message M or of an intermediate result obtained
on carrying out the chain of operations. For the permutations (simple,
compressive or expansive), the permuted mask will advantageously be stored in
memory.

Another operation capable of being complemented is the operation known
as indexed access to a table.

Another operation capable of being complemented is the transfer of the
message or of an intermediate result obtained whilst carrying out an operation of
the chain, from one location to another of a storage space defined in the entity B.
In practice, a mask is applied in a random manner by exclusive OR to the
transferred data.

More generally, an operation capable of being complemented is a stable
operation with respect to the application of the exclusive OR function, that is to
say such that:

$$\forall (x, y):\; f(x \oplus y) = f(x) \oplus f(y)$$

This is the case, among others, of the permutations and the transfer of
data.
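The following is an added illustration (not the patent's own code) of the figure-2 scheme described above: a chain of XOR-stable operations is executed with each operation either normal or complemented on a random decision, a complementing counter C_c fixes the final form of the response, and the difference d is used to inhibit the random choice when it grows too large. It assumes a whole-block complement (XOR of every byte with FF), a constructed chain alternating XOR-with-key and a bit rotation, a constructed 32-bit message, key and threshold, and one reading of the inhibition rule (force the least-used mode while |d| exceeds the threshold).

```python
import random

# Constructed sample values (not from the patent): 32-bit message, key, bit permutation, threshold.
SAMPLE_MESSAGE = bytes([0x01, 0x23, 0x45, 0x67])
SAMPLE_KEY = bytes([0x13, 0x57, 0x9B, 0xDF])
ROTATE_5 = [(i + 5) % 32 for i in range(32)]   # output bit i takes input bit (i+5) mod 32
THRESHOLD = 2                                   # predetermined value for the difference d


def xor_key(block: bytes, key: bytes) -> bytes:
    """Exclusive OR with the key: stable, f(x ^ y) == f(x) ^ f(y)."""
    return bytes(b ^ k for b, k in zip(block, key))


def permute_bits(block: bytes, table: list) -> bytes:
    """Simple bit permutation; also stable under XOR, and maps all-ones to all-ones."""
    n = len(block) * 8
    value = int.from_bytes(block, "big")
    out = 0
    for i, src in enumerate(table):
        out |= ((value >> (n - 1 - src)) & 1) << (n - 1 - i)
    return out.to_bytes(len(block), "big")


def complement(block: bytes) -> bytes:
    """Complementing: exclusive OR of every byte with FF (whole-block assumption)."""
    return bytes(b ^ 0xFF for b in block)


def chain(key: bytes, table: list) -> list:
    """The chain O_1 ... O_n: a constructed alternation of XOR-with-key and permutation."""
    return [lambda x: xor_key(x, key), lambda x: permute_bits(x, table)] * 3


def run_plain(message: bytes, key: bytes, table: list) -> bytes:
    """Reference: the conventional chain Ch_1, no complementing at all."""
    state = message
    for op in chain(key, table):
        state = op(state)
    return state


def run_chain(message: bytes, key: bytes, table: list, seed: int, threshold: int = THRESHOLD):
    """Figure-2 execution: per operation S'_a chooses O_i or its complemented form Ō_i,
    the counter C_c decides the final configuration of R. Returns (R, history of d)."""
    rng = random.Random(seed)
    state, c_c, d, history = message, 0, 0, []
    for op in chain(key, table):
        if abs(d) > threshold:           # hazard removed: force the mode least used so far
            complemented = d > 0
        else:
            complemented = rng.random() < 0.5
        state = op(state)
        if complemented:                 # Ō_i: the same operation, its result complemented
            state = complement(state)
            c_c += 1
        d += -1 if complemented else 1   # d = (#normal) - (#complemented)
        history.append(d)
    # an odd C_c means the last intermediate result is the complement of the true one
    return (complement(state) if c_c % 2 else state), history
```

Because every operation in the chain is XOR-stable and maps the all-ones block to itself, the masked execution yields exactly the conventional response for any sequence of random decisions, while |d| never exceeds THRESHOLD + 1.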

As mentioned above, a conventional DES consists of operations meeting
the criteria defined above, but the invention also applies to any algorithm carrying
out a function analogous to that of a DES, provided that it consists of operations
meeting the conditions given above.

Other operations of random nature can be combined with those which 
define the method described above. In particular, when several consecutive 
operations of the chain are commutative, it is possible to permute the order of 
their execution in a random manner. 
